CVE-2025-48122

Awaiting Analysis Awaiting Analysis - Queue

BaseFortify

Publication date: 2025-06-09

Last updated on: 2026-04-23

Assigner: Patchstack

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light allows SQL Injection.This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through <= 2.4.37.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2025-06-09

Last Modified

2026-04-23

Generated

2026-05-07

AI Q&A

2025-06-09

EPSS Evaluated

2026-05-05

NVD

CVE-2025-48122

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Powered Q&A

Can you explain this vulnerability to me?

CVE-2025-48122 is a high-severity SQL Injection vulnerability in the WordPress plugin "Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light" (up to version 2.4.37). It allows unauthenticated attackers to inject malicious SQL commands into the website's database, potentially manipulating or stealing data. This occurs because the plugin improperly neutralizes special elements used in SQL commands, making it vulnerable to injection attacks. [1]

How can this vulnerability impact me? :

This vulnerability can allow attackers to directly interact with your website's database without authentication. The impact includes potential data theft, unauthorized data manipulation, and other malicious database activities. Because of the high severity and ease of exploitation, it poses a significant risk to the confidentiality and integrity of your data. There is currently no official patch, but a virtual patch is available to mitigate attacks until a fix is released. [1]

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying Patchstack's virtual patch (vPatch) which blocks attacks targeting this SQL Injection vulnerability until an official fix is released. Users should apply this virtual patch promptly to prevent exploitation. Additionally, monitoring for signs of compromise and seeking professional incident response if a breach is suspected is recommended. [1]

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2025-48122

BaseFortify

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Powered Q&A

Ask Our AI Assistant

EPSS Chart